
Category: Raspberry Pi

In a previous article I described how to install and run the Port Scan Attack Detector (PSAD) on a Raspberry Pi. It is the closest thing to a full IDS that works on the Raspberry Pi and it's extremely easy to set up.

None of the existing visualization tools for PSAD data really met my needs, so I created a custom Python script that generates an HTML page from the live PSAD data.

On my own host running PSAD, there is a cronjob that runs this script every five minutes and uploads the output to an AWS S3 bucket. If the local configuration or the settings on the AWS side would be useful to anyone, let me know!

I have never gotten a full intrusion detection system (IDS) working correctly on a Raspberry Pi. The two most popular, Snort and Bro IDS, either have dependency problems or problems running on the ARM architecture.

I recently came across PSAD, the Port Scan Attack Detector. It is essentially a collection of daemons that analyze iptables log messages (the output of LOG rules, as written to syslog) to identify patterns of malicious traffic such as port scans. When used in conjunction with fwsnort, which translates Snort rules into iptables rules, PSAD can also correlate blocked traffic with many of the "Emerging Threats" Snort rules.
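As an added illustration of the kind of analysis PSAD performs on iptables logs (this is example code written for this page, not psad's own implementation and not the author's script), the Python below parses constructed kernel LOG lines and flags any source that probes several distinct destination ports within a short window. The hostnames, addresses, port threshold and window length are all assumptions; psad's real scoring (danger levels, signature matching, whitelists) is considerably richer than this heuristic.

```python
"""
Toy port-scan detector over iptables LOG lines.

Constructed example: a simplified heuristic in the spirit of what psad does
(group firewall log hits by source, count distinct destination ports hit within
a time window). It is NOT psad's code or its actual scoring algorithm.
"""
import re
from collections import defaultdict
from datetime import datetime

# Only the key=value fields needed for scan detection are captured.
FIELD_RE = re.compile(r"(?P<key>SRC|DST|PROTO|SPT|DPT)=(?P<val>\S+)")
# syslog-style prefix written ahead of the kernel message: "Jan 10 12:00:01 host kernel: ..."
TS_RE = re.compile(r"^(?P<month>\w{3})\s+(?P<day>\d{1,2})\s+(?P<time>\d{2}:\d{2}:\d{2})")


def parse_line(line, year=2024):
    """Return (timestamp, fields) for an iptables LOG line that carries ports, else None.

    Lines without IN=/SRC= are not firewall log lines; ICMP lines carry no DPT and
    are skipped as well. syslog omits the year, so one is assumed (parameter).
    """
    if "IN=" not in line or "SRC=" not in line:
        return None
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['month']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None
    fields["DPT"] = int(fields["DPT"])
    # A bare SYN (no ACK) is a fresh connection attempt, which is what a
    # TCP connect/SYN scan produces against filtered ports.
    fields["BARE_SYN"] = bool(re.search(r"\bSYN\b", line)) and not re.search(r"\bACK\b", line)
    return ts, fields


def detect_scans(lines, min_ports=5, window_seconds=60):
    """Return {src: sorted_ports} for sources that probed >= min_ports distinct
    TCP/UDP destination ports within any window of window_seconds.

    Thresholds are illustrative assumptions, not psad's defaults.
    """
    hits = defaultdict(list)  # src -> [(timestamp, dport)]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        if f.get("PROTO") not in ("TCP", "UDP"):
            continue
        if f["PROTO"] == "TCP" and not f["BARE_SYN"]:
            continue  # mid-stream packets (ACK/PSH/RST) are not new probes
        hits[f["SRC"]].append((ts, f["DPT"]))

    alerts = {}
    for src, events in hits.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            alerts[src] = sorted(best)
    return alerts


def _log(sec, src, dpt, flags="SYN", proto="TCP"):
    """Build a constructed iptables LOG line (field layout mirrors the kernel's; values invented)."""
    return (f"Jan 10 12:00:{sec:02d} pi kernel: [ 1234.{sec:06d}] IN=eth0 OUT= "
            f"MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 SRC={src} DST=192.168.1.10 "
            f"LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO={proto} SPT=43210 DPT={dpt} "
            f"WINDOW=1024 RES=0x00 {flags} URGP=0")


# Constructed sample log, not real traffic.
SAMPLE_LOG = [
    # 203.0.113.5 sweeps six ports in six seconds -> scan
    *[_log(i + 1, "203.0.113.5", p) for i, p in enumerate((21, 22, 23, 25, 80, 443))],
    # 198.51.100.7 retries one service and sends a mid-stream ACK -> benign
    _log(10, "198.51.100.7", 443),
    _log(11, "198.51.100.7", 443),
    _log(12, "198.51.100.7", 8080, flags="ACK PSH"),
    # 203.0.113.9 touches only two ports -> below threshold
    _log(20, "203.0.113.9", 22),
    _log(25, "203.0.113.9", 80),
    # ICMP echo request: no DPT field, ignored by the parser
    "Jan 10 12:00:30 pi kernel: [ 1234.000030] IN=eth0 OUT= MAC=b8:27:eb:00:00:01:00:11:22:33:44:55:08:00 "
    "SRC=203.0.113.77 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1",
    # unrelated syslog line, not a firewall message
    "Jan 10 12:00:31 pi sshd[999]: Accepted publickey for pi from 192.168.1.20 port 50000 ssh2",
]

if __name__ == "__main__":
    for src, ports in detect_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: ports {ports}")
```

Run against a real host, the input would be the kernel log lines your LOG rules produce (psad reads these from syslog); the point of the sliding window is that a slow scan spread over hours scores lower than the same ports hit in seconds, which is why the window length matters as much as the port count.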

PSAD was extremely easy to set up on a Raspberry Pi that's deployed as a catch-all DMZ host on my home network. Before diving into the details, you can see live data being collected by that host here: https://psad.disloops.com

There are plenty of articles online about the different things you can do with a Raspberry Pi. I recently bought a new one from Adafruit and I wanted to write down the steps I took to create a baseline configuration for future projects.

Setting Up Raspbian

I downloaded the latest version of Raspbian and burned it to a new micro SD card. I plugged that in along with some peripherals I bought:

The Raspberry Pi 3 actually has built-in WiFi but I thought I'd have a stronger connection using an external USB adapter.

After booting for the first time, I wanted to get rid of the default pi user. To do this, go to the start menu, open "Raspberry Pi Configuration" under "Preferences" and turn off the "Auto-Login" option. Then open a terminal and create a password for the root user: